Building A Cyber Security Budget and Roadmap


As the end of the calendar year approaches, many cybersecurity departments are working on a budget and roadmap for next year. Yet these same teams are also likely to be busy wrapping up their current projects before year end. Against this backdrop we would like to share the story of a customer who recently approached our team with this challenge: create a security program budget and twelve-month roadmap. The catch? Do it in seven business days or less.

In the following paragraphs, we describe what the customer provided at the start, how we mapped the relevant information onto their chosen control framework, and how we used our TrustMAPP tool to generate a prioritized budget covering both the dollar figures and the resources needed to bring next year's proposed security projects to fruition.

Starting with a Baseline

The customer wanted to use a previous risk assessment as a high-level program baseline with identified gaps. However, the assessment was a general IT controls assessment, and security was only a small section of the report. To further complicate matters, the assessment results and data were, of course, delivered as a PDF, so turning them into a plan and roadmap by hand would have required significant manual effort.

The risk assessment report did, however, list areas for improvement, and these guided the initial scores for the baseline. We agreed that the overall goal was to use the assessment data as the basis of a meaningful budget and roadmap aligned with the customer's business objectives for the coming year.

Mapping Findings From Prior Report

The TrustMAPP team quickly reviewed the report and began to map findings from the assessment to the NIST Cybersecurity Framework (NIST CSF). NIST CSF was not only the customer's preferred control framework, but also the structure by which the various security activities would be reported on and managed in the future.

With the data from the previous assessment mapped to NIST CSF, we populated the corresponding fields in the NIST CSF process template in the TrustMAPP tool. From there we could very quickly generate improvement estimates grounded in a third-party validated assessment rather than in self-reported scores.

Time to complete this task: 2 hours to map assessment data from the PDF report and enter those values into the NIST CSF template in TrustMAPP.

Gaining Insights and Building a Plan

At this stage, using the pre-built analytics in TrustMAPP, our team could readily produce a prioritized roadmap driven by the business objectives established ahead of time for the security program (in this case, GDPR readiness, FIPS compliance, and HIPAA). The analytics produced a prioritized list of estimated resource requirements (both internal and external) along with the estimated spend on hardware, software, and training required to meet those objectives in the coming fiscal year.

Time to complete this task: 2 hours to complete the planning and roadmap development.
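The two mechanical steps described above, mapping free-text findings from the prior report onto NIST CSF categories and then ranking the resulting gaps by how many business objectives depend on each category, can be sketched in plain Python. The script below is an added illustration of that generic approach; it is not TrustMAPP's analytics, not the customer's data, and not the scoring TrustMAPP actually uses. The keyword rules, objective weights, maturity tiers, hourly rate, quarterly capacity and every finding are constructed assumptions for the example.

```python
"""Map prior-assessment findings onto NIST CSF categories, score the gaps against
business objectives, and lay the result out as a four-quarter roadmap with budget.

Added illustration of the generic approach, not TrustMAPP's analytics. Every
finding, weight, rate and hour estimate below is constructed for the example.
"""
from dataclasses import dataclass

# Small subset of NIST CSF v1.1 categories (Function.Category identifiers).
CSF = {
    "ID.AM": "Asset Management",
    "PR.AC": "Identity Management and Access Control",
    "PR.DS": "Data Security",
    "DE.CM": "Security Continuous Monitoring",
    "RS.RP": "Response Planning",
    "RC.RP": "Recovery Planning",
}

# Assumed keyword rules for mapping free-text findings to a category; first hit wins.
KEYWORDS = {
    "inventory": "ID.AM", "asset": "ID.AM",
    "mfa": "PR.AC", "privileged": "PR.AC", "password": "PR.AC",
    "encrypt": "PR.DS", "fips": "PR.DS",
    "log": "DE.CM", "monitor": "DE.CM", "siem": "DE.CM",
    "incident response": "RS.RP",
    "backup": "RC.RP", "restore": "RC.RP",
}

# Assumed weight of each business objective and the CSF categories it depends on.
OBJECTIVES = {
    "GDPR Readiness": (1.0, {"ID.AM", "PR.DS", "RS.RP"}),
    "FIPS compliance": (0.8, {"PR.DS"}),
    "HIPAA": (1.0, {"PR.AC", "PR.DS", "DE.CM", "RC.RP"}),
}


@dataclass
class Finding:
    text: str            # finding as worded in the prior report
    current: int         # baseline maturity tier, 1..5, taken from the report
    target: int          # tier needed to close the finding
    internal_hours: int  # estimated internal staff effort
    external_hours: int  # estimated consultant effort
    capex: int           # hardware / software / training spend, USD


# Constructed findings standing in for the "areas for improvement" in the PDF report.
FINDINGS = [
    Finding("No MFA on remote access or privileged accounts", 1, 4, 120, 40, 15000),
    Finding("Backups not tested; no documented restore procedure", 2, 4, 60, 0, 5000),
    Finding("Central log monitoring absent for servers", 1, 3, 80, 80, 40000),
    Finding("Laptop disk encryption not enforced", 2, 4, 40, 0, 8000),
    Finding("Incomplete hardware and software asset inventory", 2, 3, 60, 0, 0),
]


def map_to_csf(text: str) -> str:
    """Return the first CSF category whose keyword appears in the finding."""
    lower = text.lower()
    for keyword, category in KEYWORDS.items():
        if keyword in lower:
            return category
    return "UNMAPPED"  # leave for manual review rather than guessing


def priority(category: str, f: Finding) -> float:
    """Gap size multiplied by the summed weight of every objective needing this category."""
    weight = sum(w for w, cats in OBJECTIVES.values() if category in cats)
    return (f.target - f.current) * weight


def build_roadmap(findings, capacity_per_quarter: int, ext_rate: int = 200):
    """Rank findings by priority, then pack them into Q1..Q4 by internal-hour capacity."""
    ranked = sorted(findings, key=lambda f: priority(map_to_csf(f.text), f), reverse=True)
    quarter, used, plan = 1, 0, []
    for f in ranked:
        if used + f.internal_hours > capacity_per_quarter and quarter < 4:
            quarter, used = quarter + 1, 0   # overflow spills into the next quarter
        used += f.internal_hours
        category = map_to_csf(f.text)
        plan.append({
            "quarter": f"Q{quarter}",
            "csf": category,
            "finding": f.text,
            "score": priority(category, f),
            "budget": f.capex + f.external_hours * ext_rate,
        })
    return plan


def totals(plan):
    """Roll the roadmap up into the headline figures a budget slide needs."""
    return {"items": len(plan), "budget": sum(p["budget"] for p in plan)}


if __name__ == "__main__":
    plan = build_roadmap(FINDINGS, capacity_per_quarter=200)
    for p in plan:
        print(f'{p["quarter"]} {p["csf"]} score={p["score"]:.1f} ${p["budget"]:>6} {p["finding"]}')
    print(totals(plan))
```

Two design points carry over to real use: a finding that matches no rule is reported as UNMAPPED so it gets a human decision instead of a silent guess, and the score is simply gap multiplied by objective weight, which is enough to explain to a budget committee why encryption (needed by all three objectives here) lands in Q1 ahead of a larger gap that only one objective depends on.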

Develop Customer Presentation

Using the output from TrustMAPP's pre-built analytics and intelligence, the team was able to quickly generate estimated budget requirements. The customer received a graphical high-level security program roadmap to communicate these initiatives, their associated budget, and their timelines.

Time to complete this task: 2 hours to generate a prioritized roadmap of security activities, complete with the required levels of effort and investment.

A Budget Proposal in Six Hours?

All told, the entire process was completed in about six hours. Compare that to the time consumed and frustration generated by manually produced budgets, which we estimate at about 120 hours based on our own experience and feedback from existing customers.

TrustMAPP not only expedites the production of next year's budget figures and their justification; it can also track and report your progress and maturity as you implement the plan, so the value delivered stays visible. Reduce manual effort and elevate your discussions about cybersecurity.